On 10/25/2016 08:26, Rich Kulawiec wrote:
On Fri, Oct 21, 2016 at 10:53:42PM -0700, Ronald F. Guilmette wrote:
Recent events, like the Krebs DDoS and the even bigger OVH DDoS, and
today's events make it perfectly clear to even the most blithering of
blithering idiots that network operators, en mass, have to start scanning
their own networks for insecurities.
And start monitoring their own networks for *outbound* attacks. Too many
people focus exclusively on inbound attacks, never realizing that every
attack inbound to them is outbound from somewhere else.
What is it? 20 years? since the first time I was banned from NANOG for
saying that the world would be a nicer place if EVERY true router
refused to forward a packet whose SOURCE could not be reached from the
port question. (May not be stated clearly, but idea seems simple
enough: If the proposed ICMP message would not be routed to the port
the packet came from, the best plan is probably to log the event and
drop the ICMP and the rogue packet on the floor.)
--
"Everybody is a genius. But if you judge a fish by
its ability to climb a tree, it will live its whole
life believing that it is stupid."
--Albert Einstein
From Larry's Cox account.
